
Virtumondo; CWS.Look2Me [RESOLVED]

isaac608

Posted 02 October 2005 - 10:46 AM

Member

13 posts

Greetings:

I can't seem to get rid of the Virtumondo spyware problem on my computer. My Microsoft AntiSpy program keeps finding it. I try to fix it, but it keeps coming back. I have tried turning off Windows restore, turning off Spybot TeaTimer, turning off AntiSpy real-time protection, and running the cleaning programs in Safe Mode, but nothing has worked. The internet is slow and the webpage occasionally gets redirected to adware.

Also, CWShredder couldn't get rid of "Look2Me"--it kept coming back on reboot.

I have done the "required steps" before posting:

1) I ran Cleanup and deleted everything
2) I ran AdAware SE as requested--no problems found
3) I ran CWShredder--it found "Look2Me" but could not delete it
4) I ran a SpyBot scan--no problems found
5) I ran a Trend Housecall virus scan--no problems found
6) I checked Windows Update--no updates available
7) I rebooted again and ran MS AntiSpy--it still found the Virtumondo bug. I also ran CWShredder again & it found the Look2Me problem again too.
8) I ran a HijackThis scan (results below)


greyknight17

Posted 03 October 2005 - 02:33 PM

Malware Expert

Visiting Consultant

16,560 posts

Hi Isaac and welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

* Double-click VundoFix.exe to extract the files.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key (or F5 in some machines) until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
* Once in Safe Mode open the VundoFix folder and double-click on KillVundo.bat
* Please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\geebc.dll

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* When asked for a second path, enter -> C:\WINDOWS\system32\cbeeg.*
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run then HijackThis will open.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:

* After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
* Pressing any key will cause a 'Blue Screen of Death'; this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
Click 'Options...'
Move the arrow down to 'Custom CleanUp!'
Put a check next to the following (Make sure nothing else is checked!):

isaac608

Posted 03 October 2005 - 08:09 PM

Member

Topic Starter

13 posts

Thank you for your quick response! I followed the steps you outlined. The logs will be on posts to follow this one.

A few issues that I'm not sure matter:

1) the "blue screen of death" wouldn't go away so I hard rebooted
2) When Windows booted up after the Safe Mode instructions, an error message saying that CWShredder had an error and had to close came up
3) I hadn't disabled Spybot TeaTimer or MS AntiSpy before starting, so when Windows loaded up there were a bunch of warnings. I disabled both of them, but I'm not sure if any of the cleaning was blocked.

isaac608

Posted 03 October 2005 - 09:19 PM

isaac608

Posted 03 October 2005 - 10:03 PM

Member

Topic Starter

13 posts

Grr, I'll have to post the scans in the morning. The Panda scan has frozen the computer 3 times now, so I'm running it in Safe Mode (it was getting hung up on files of programs that were running in the background, I think). Thanks for your patience. -Isaac

greyknight17

Posted 03 October 2005 - 10:19 PM

No problem Isaac. Try closing your antivirus program also while running the online scan if it's giving you problems.

If it still gives you problems, do this instead:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.


greyknight17

Posted 04 October 2005 - 08:17 AM

Could you use your mouse to highlight the rest of the information in the Panda site though? Just use the mouse to highlight lower to see if it will allow you to do it.

Check and fix this in HijackThis:

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes: